RE: [TLS] Updated TLS 1.2 I-D

[<Pasi.Eronen@nokia.com>]

Eric Rescorla wrote:
 
> The big thing I know is misisng is replaceable PRFs, which
> I wanted to discuss on the mailing list before I put in.
> As people will recall, there was a consensus on replaceable
> PRFs/KDFs in Dallas but we didn't discuss exactly how to do
> them.
> 
> My proposal is as follows:
> 
> - All PRFs must have the same "API" as the existing TLS 
>   PRFs.
> - New cipher suites MAY have as part of their specification
>   a new PRF.
> - There is no way to separately negotiate a new PRF for
>   an existing cipher suite.

I like this approach; it's simple, and I'm not convinced that anything
more complicated is needed. As was already pointed out some time ago,
even the current PRF looks quite secure: if someone really needs a
special PRF due to e.g. regulatory requirements, they'll probably 
need a new ciphersuite anyway.

However, I would take the approach even further towards simplicity:
use the current TLS PRF for all existing ciphersuites (instead of
tying it to the ciphersuite's MAC algorithm). Or in other words:
consider PRF as a property of the ciphersuite's key exchange 
algorithm (instead of the TLS protocol version or a property
that can be negotiated independent of key exchange algorithm).

(The document would then need a couple of new ciphersuites for 
the new PRF, but probably not very many combinations; after all,
if someone's worried that the current PRF is insecure, they're
not likely to use RC4 or IDEA. Maybe these new ciphersuites
could be the combined-mode ones.).

Best regards, 
Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls